The vulnerability, designated CVE-2019-6340, exists because "some field types do not properly sanitize data from non-form sources," the open source Drupal project team says in a security alert. "This can lead to arbitrary PHP code execution in some cases."

To patch the problem, Drupal on Wednesday released "critical releases" that update Drupal 8.6.x to Drupal 8.6.10, and Drupal 8.5.x or earlier users to Drupal 8.5.11.

"Be sure to install any available security updates for contributed projects after updating Drupal core," the project team says. "No core update is required for Drupal 7, but several Drupal 7 contributed modules do require updates."

What's at Risk?

Drupal says versions of the CMS are at risk if they meet one of the following conditions:

Drupal 8 Web Services: "A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests."

Other web services modules: "The site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7."

Drupal says that Drupal 7 core itself is not affected, but the Drupal 7 contributed web services modules (Services and RESTful Web Services) are, and it recommends installing all available updates regardless.

For sites that cannot install the updates immediately, Drupal says the flaw can be mitigated by disabling all web services modules, or by configuring those services to not allow PUT, PATCH or POST requests to web services resources. "Note that web services resources may be available on multiple paths depending on the configuration of your server(s)," Drupal warns, so blocking a single URL path at the web server may miss some of them.
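To make the second mitigation concrete, here is an added example of a Drupal 8 core REST resource configuration in its permissive form beside a hardened form. It is not from the Drupal advisory or this article; the file name (config/sync/rest.resource.entity.node.yml), the module dependency list and the cookie authentication provider are assumptions for a typical site.

```yaml
# Weak: the "entity:node" REST resource accepts POST and PATCH, the request
# types the advisory ties to the flaw (unsanitized data from non-form sources).
# File name and dependency list are assumptions for a typical site.
langcode: en
status: true
dependencies:
  module:
    - node
    - serialization
    - user
id: entity.node
plugin_id: 'entity:node'
granularity: resource
configuration:
  methods:
    - GET
    - POST
    - PATCH
  formats:
    - json
  authentication:
    - cookie
---
# Hardened: the same resource restricted to GET only, the advisory's interim
# mitigation for sites that cannot update straight away. The real fix is the
# core update; this only removes the writable entry points.
langcode: en
status: true
dependencies:
  module:
    - node
    - serialization
    - user
id: entity.node
plugin_id: 'entity:node'
granularity: resource
configuration:
  methods:
    - GET
  formats:
    - json
  authentication:
    - cookie
```

Every enabled rest.resource.*.yml needs the same treatment, not just the node resource, and setting status: false on a resource (or uninstalling the rest and jsonapi modules) is the "disable all web services" option. Changing the module configuration, rather than filtering request paths at Apache or nginx, is the reliable route because, as the advisory notes, the same resource can answer on more than one path depending on the server setup.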

The project team also notes that versions of Drupal 8 prior to 8.5.x are "end of life" and will receive no further security updates.

Popular CMS

Drupal is the world's third most popular content management system, commanding 4 percent market share, after Joomla at 5 percent and CMS heavyweight WordPress, which owns 60 percent of the market, according to W3Techs.com.

This isn't the first time that a critical flaw in Drupal has been targeted by attackers. Last year, Mursch warned that at least 400 websites had been hacked by attackers who exploited a remote-code-execution flaw in Drupal to install code designed to mine the virtual currency Monero.

Many administrators of Drupal CMS sites fail to patch their installations in a timely manner. Two months after the Drupal project team patched two "Drupalgeddon" flaws early last year, security firm Malwarebytes reported that it was still finding dozens of sites running vulnerable versions of the CMS (see: Websites Still Under Siege After 'Drupalgeddon' Redux).

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor of DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
